Implementable Quantum Bit-String Commitment Protocol 
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Quantum bit string commitment[A.Kent, Phys. Rev. Lett., 90, 237901 (2003)] or QBSC is a variant 
of bit commitment (BC) . In this paper, we propose a new QBSC protocol that can be implemented 
using currently available technology, and prove its security under the same security criteria as 
discussed by Kent. QBSC is a generalization of BC, but has slightly weaker requirements, and our 
proposed protocol is not intended to break the no-go theorem of quantum BC. 
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I. INTRODUCTION 



Quantum bit string commitment (QBSC) was pro- 
posed by Kent[3j, as a generalization of bit commitment 
(BC). The fundamental goal of QBSC is the same as that 
of BC; that is, the sender first sends evidence of assigned 
data over a communication channel without revealing the 
actual data. Then, after an interval, the sender reveals 
the data and the receiver verifies that the data have not 
been modified. 

The difference in QBSC is that the sender commits a 
string A = (ax, • • • , a„) with n > 1 in a single protocol 
session, and a limited (but certain) number of its bits are 
accessible by the receiver before the open phase. This 
situation is referred to as (m, n) bit string commitment 
m Ref.Q, where m (< n) is the maximum number of 
accessible bits. Conventional BC schemes correspond to 
the case where n = 1 and m = 0, and in this sense QBSC 
is a generalization of BC. 

In this paper, we propose a new QBSC protocol that 
can be implemented using currently available technology, 
such as single-photon sources and detectors, and then 
prove its security. The main difference from the previ- 
ous protocol is in the quantum measurement procedure 
performed by the receiver to verify a commitment. In 
our scheme, the receiver is allowed to perform the mea- 
surements in the commitment phase using randomized 
bases, which means that it is not necessary to preserve 
the quantum state until the open phase. 

Although QBSC is a generalization of BC, the security 
level that it achieves is slightly weaker than that of BC 
unless m — 0. We would like to stress that our proposal 
is not intended to break the no-go theorem of Lo-ChauJ^ 
and Mayers |6j, which states that if one takes full advan- 
tage of quantum computers and quantum communication 
channels, any type of nonrelativistic BC scheme can be 
attacked|l7j. Our ultimate goal is to devise useful and 
secure quantum cryptographic schemes that do not rely 
on BC. 

The no-go theorem of BC often makes people think 
that it might be impossible to create any useful crypto- 
graphic protocols based on quantum theory, except quan- 



tum key distribution (QKD). This is mainly because BC 
is one important building block in a whole list of interest- 
ing tools, such as multi-party protocols or zero-knowledge 
proof, rooted in classical cryptology (see e.g., Ref.00])- 
However, as pointed out in Ref.|3|], we are not yet able 
even to characterize the range of cryptographic tasks for 
which perfectly secure quantum protocols might possibly 
exist. Thus, we assume here that there must be distinct 
security notions that are unique to quantum cryptogra- 
phy, and seek protocols that do not necessarily have a 
classical counterpart. 

This paper is organized as follows. In Section [HI we 
briefly review some of the results by Kent 3], including 
the basic structure of QBSC and its security criteria. 
Subsequently, we describe the proposed protocol in Sec- 
tion IIIII and prove its security in Section IIVI Then in 
Section [V] we briefly comment on the implementation 
and finally conclude in Section IVll 



II. PREVIOUS METHOD 

The original QBSC was proposed in Ref.[3j, with two 
example schemes, called Protocol 1 and Protocol 2. Be- 
fore presenting our protocol, we briefly review the results 
by Kent in this section. Both of the example protocols 
share a simple basic structure, as follows. Throughout 
this paper, we will call the sender Alice and the receiver 
Bob. 



A. Basic Structure of Kent's Scheme 

1. Procedure 

Alice and Bob proceed as follows. 
Commitment Phase 

1. Alice chooses a bit string A = (a\, . . . , a n ) to be 
committed to and sends Bob the corresponding 
state 
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2. Bob preserves the received state \^a)- 
Open Phase 

1. Alice unveils A to Bob. 

2. Bob verifies A by a projective measurement on 
\^a)- If the outcome is consistent with A, he ac- 
cepts the commitment, otherwise he rejects it. 

The exact form of the state \^a) differs depending on 
the type of protocol and will be given below. 

2. Security Requirement 

For BC, there are two security requirements, which are 
called the concealing and binding conditions |9j. Similar 
notions are also used for QBSC, although with somewhat 
relaxed restrictions Q. 

- Concealing Condition. The receiver can access 
only a limited number of bits in the committed 
string A before the open phase. 

The number of accessible bits is referred to as m in 
Ref.Q. 

- Binding Condition. It is unlikely that Alice will 
change the content of her commitment A after the 
commitment phase. 

Note that for BC schemes, Bob is assumed to gain no 
information whatsoever regarding committed bit b until 
Alice unveils it, whereas in QBSC perfect concealment is 
dispensed with; Bob is allowed to extract a certain but 
limited amount of information from A. 

The meaning of the term 'unlikely' in the definition of 
the binding condition differs in the two protocols. This 
point will be discussed below. 

As to the possibility of each player cheating, Alice 
cheating puts the binding at risk and Bob cheating corre- 
sponds to concealment. Throughout this paper, we con- 
sider only cases where either one of them is cheating, but 
not both. Thus, the binding and concealing conditions 
can be discussed separately. 



3. Measurement by Bob 

When considering Alice's cheating, we denote the 
quantum state sent to Bob as a density matrix p, since in 
general, Alice would be likely to use a randomized strat- 
egy or send an entangled state. Note here that whatever 
strategy Alice follows, once she transmits the quantum 
state to Bob, the density matrix p is fixed. Honest Bob 
verifies Alice's commitment by performing a projective 
measurement of p using an orthonormal basis that in- 
cludes \^a)- Bob then accepts it as a correct commit- 
ment of string A with the probability 



B. Example Protocols 

1. Protocol 1 

Define qubit states 

tpo = |0), Vi = sin0|O) +cos0|l) . 

Alice sends particles in the states ifj ai , ■ ■ ■ , "4>a n for A = 
(oi, . . . , a„), a,i G {0, 1}. In other words, she transmits 
to Bob the state \^a) := \ip ai ) <g> • • • <g> \ipaj- Here 9 e K 
is a constant that is determined according to the security 
parameter. 

a. Concealing Condition From the Holevo bound0, 
the information m that is accessible by Bob is bounded 
by 



m < S(p) = 



Ho 



1 



sin ( 



(2) 



where H-z(x) = — xlogx — (1 — x) log(l — x). Hence m 
can be arbitrarily small by adjusting 0. 

b. Binding Condition. In Protocol 1, binding is dis- 
cussed for each bit separately. Let pj = (ipj\pi\^j) be the 
probability of Bob accepting a revelation of j for the ith 
bit. We have 

P° +Pl < cos 2 [(tt - 29)/ 4] + sm 2 [(n + 29) /A] , (3) 

where the RHS can again be chosen arbitrarily close to 
1 by choosing suitable 9. In general, the smaller 9 is, the 
stronger the binding becomes; simultaneously, however, 
concealing becomes weaker, as can be seen from Inequal- 
ity (0). Thus, 9 needs to be chosen with this balance in 
mind. 



2. Protocol 2 

In Protocol 1, as m in (J3J is in the same order as 
n, most bits from A are accessible by Bob, because the 
amount of data encoded per qubit is rather small. Thus, 
another protocol at the other extreme with a much higher 
encoding rate is considered here . 

The basic idea here is that instead of using qubits, 
one encodes A into a general D-dimensional vector space 
Hd = C D /C. Thus, one chooses O (exp(const.D)) states 
{|*a)} out of H D . 

a. Binding Condition. In Protocol 1, we discussed 
bitwise security; here we take a different approach. 

Definition 1 Take an arbitrary value ofrQ'Z and e£l 
(e, r > 0). A QBSC protocol is binding if, by choosing 
a large enough n, the following inequality holds for arbi- 
trarily chosen A\, . . . , A r and p, 



^Pr^ilp] < 1 + e 



(4) 



Pt[A\ P ] = (I-aHI-a) 



(1) 



Here, n is the length of the bit string that is to be com- 
mitted. □ 
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Intuitively, this definition can be illustrated as follows. 
A cheating Alice might want to postpone her decision 
by selecting x patterns of bit strings A\, . . . , A x in the 
commitment phase. Then, later in the open phase, she 
could unveil any desired string among them. In such a 
case, the maximum probability of her success is less than 
l/x if x < r, and is less than 1/r if x > r. 

In fact, it can be shown 3] that if the committed states 
a) are chosen to be approximately orthogonal: 

|(*a|#A')| < sintf = e <1 for \JA ^ VA' (5) 

the above binding condition J3J is true for e < (r — l)e. 
That is, if one can construct approximately orthogonal 
states |^a)i the binding condition is automatically guar- 
anteed. 

b. Approximately Orthogonal States. In this proto- 
col, one needs to choose exp(const.-D) states \^>a) out of 
D-dimensional vector space while keeping approximate 
orthogonality as in J^J. Although this seems impossi- 
ble at first sight, interestingly, it can in fact be eas- 
ily achieved by using classical error-correcting codespdj. 
One example is as follows. 

Take an error-correcting code E : {0, 1}™ — * {0, l} m 
with information rate R = n/m and minimum distance 
d and let 5 = d/m. Next choose quantum states \h A ) € 
C 2m /C corresponding to string A S {0, 1}" as: 

\h A ):=-=J2\i)®\Ei(A)) . (6) 

Then, as |(/ia|/M')I < (1 — $) f° r A ^ A', an arbitrarily 
small e can be chosen by defining \^a) as \^f A ) := \h A ) <B> 
■■■®\h A ). 



Therefore, we cosider here whether Bob can distinguish 
p sufficiently accurately without knowing A, because if 
that is the case, Bob does not need to preserve p for a 
long period. 

In order to actually do this, we change Bob's verifica- 
tion procedure. That is, Bob measures p as soon as he 
receives it using randomly chosen orthogonal bases, and 
then stores the result until the open phase. Although 
much less information is obtained in this way than is 
obtained by directly comparing p with I^&aK^aI) it is 
enough to detect cheating by Alice, as we will show in 
Section llVl 

A. Quantum State for Encoding 

First we define the quantum state |^a), which is used 
as a commitment of the string A. 

1. Error-Correcting Code 

Throughout this section, we assume that string A is 
not necessarily a bit string but is in general a q-axy string 
A — (ai, . . . , a n >), di G {0, . . . , q— 1}. If the original data 
are a bit string, one needs to transform them into a q- 
ary string using some appropriate surjective mapping. In 
this case, A stands for the data of n = \n' log 2 q] bits. 

Then we fix a q-axy classical (N, n', d) error-correcting 
code : 

E : A h- E{A) = {ex, . . . , e N ) , e {0, . . . , q - 1} . 

The sender stretches the string A into a q-axy string E 
of length N using this error-correcting code. 



III. PROPOSED PROTOCOL 

The protocols described in the previous section are cer- 
tainly significant, in that they achieve a completely new 
type of security by using quantum mechanics. However, 
it seems almost impossible to implement them using cur- 
rent technology. There are two main reasons. 

1. Bob needs to preserve the quantum state 1^^) as 
it was created by Alice, until the open phase. 

2. In Protocol 2, highly entangled states, such as \h A ) 
given in JSJ, are necessary. 

In particular, the first point seems the more difficult to 
overcome. Thus, we propose a modified version of QBSC 
that can be implemented, and subsequently prove its se- 
curity. 

In Kent's protocol, Bob needs to preserve the quan- 
tum state p as it was sent from Alice in the commitment 
phase until the open phase. This is because Bob verifies 
p by projective measurements using an orthonormal ba- 
sis including after Alice has unveiled string A. 



2. Quantum States of 'Particles' 

The commitment \^ A ) takes the form 

|*a) = |*js(A)> :=|ei)®---® \e N ) , (7) 

where each |e$) is a D-dimensional vector. That is, the 
sender commits by sending N 'particles' having inter- 
nal degrees of freedom in a D-dimcnsional vector space 
Hd = C D /C Each q-ary value is encoded into this 
D-dimensional space of the i th particle. 

We use the same set of Z)-dimensional states for each 
particle and denote them as 

|0>,---,|?-1) £H D . (8) 

Hence, Eqn.Q) means that the i th particle has e t th states 
of ©. The q states of © are all distinct but do not 
necessarily form an orthonormal basis. 

It is assumed here that D satisfies q = ID for / 6 Z, 
and that the states of (JSJ can be grouped together into I 
types of orthonormal basis M(i), i = 0, . . . , I — 1 

M(i):={\i;0),...,\i;D-l)}, (i;j\i;k)=S jk (9) 
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Previous Protocol 



Proposed Protocol 



Alice 




Open Phase 
A 



A 



Bob 



-► P 



Preserve 



▼ 

P 



Measurement using A 



Alice 



Bob 



■> P 



Measurement 
without knowing A 



Compare A and the 
result of measurement 



FIG. 1: Differences between the previous and proposed protocols. 



with 

\iD + j) = . 

Also, for the sake of simplicity, we assume that the or- 
thogonal bases M(i) are symmetric under a finite group 
G that acts onHc. In other words, for any Q < i < I — 1, 
g G G, there exists < i' < I — 1 satisfying 

gM{i) :={R(g)\i;0), R(g)\i;D - 1)} = M(i') , 

(10) 

where R is a representation of G in Hv- In Ean. (|10ll . 
states are identified if they differ only up to a phase of 
complex number. 



1. Alice reveals A to Bob. 

2. Bob computes the codeword E(A). 

3. Bob verifies the following condition for each particle 
1 < i < N : 

- If the basis that he chose is correct, i.e., 
\ei) € M(si), he obtains |e.;) as a result of 
his measurement. 

4. If the above condition does not hold for any i, Bob 
rejects the commitment, otherwise, he accepts it. 

C. Differences from Kent's Protocols 



B. Protocol 

Alice and Bob proceed as follows. 
Commitment Phase 

1. Alice chooses a q-&ry string A = (ai, . . . ,a n r) to 
which she is committed and computes the corre- 
sponding codeword E(A) — (ei, . . . , ejy). 

2. Bob chooses a ^-ary random string 

S=( Sl ,...,s N ) e {0,...,/-!}^. 

3. Alice sends N particles |ei), . . . , |eAr) to Bob. 

4. Bob performs measurements on each received parti- 
cle | e^) with the basis M(si) and records the result. 

Open Phase 



As stated earlier, Bob does not need to preserve the 
quantum state p until the open phase as he examines p 
in the commitment phase. By using randomized bases, he 
selects correct bases in a probabilistic way, and is there- 
fore able to verify Alice's commitment confidently. 

In addition, players only need to be able to create 
and detect Z?-dimcnsional quantum states, and thus the 
highly entangled states, e.g., \Ha) given in ©, are un- 
necessary. For instance, the case of D = 2 can be imple- 
mented using single-photons. 

Error-correcting code is used here to ensure approxi- 
mate orthogonality of states \^e(A)) as m Kent's proto- 
col (c./., Eqn.©). Indeed in our protocol, Alice sends 
\^E(A)} ■— |ei) <8) • • • <g> |ejv), which satisfies 

VAVA' (A ? A* -» \(* E (A)\*E(A>))\ < P d ) ■ (11) 

Here (3 is the maximum value of the inner product of the 
particle states defined in JSJ), i.e., |(e|e')| < (3 for Ve ^ e' 
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(see also Paragraoh llV B 2~c|) . In the next section, we will 
exploit this property to prove the binding condition. 



IV. SECURITY EVALUATION 

Now we will prove the security of the proposed scheme. 
Throughout this section, we consider an ideal case with a 
noiseless channel and error-free detection. (For non-ideal 
cases, see Section W\) 

As to what each player can do in quantum proto- 
cols, we follow the definition given by Yao[3 

and Lo- 

Chau[15j. That is, quantum protocol is formalized in a 
Hilbert space Ht = Ha ® Hb ® He, where Ha (resp. 
Hq) refers to the space in which Alice (resp. Bob) can 
operate. He is the communication channel. Every step 
of the protocol is done by unitary operations by Alice on 
Ha <8> He and those by Bob on Hr <X> He, alternately. 



if he chooses a wrong basis, he may accept Alice's com- 
mitment no matter what he obtains as a result of his 
measurement. Thus, averaged over the random variable 
S, the acceptance rate by Bob takes the form 

Py n=1 [A\p] ■= (l - y) + j<ei|p|ei) = Trp7r(ei) , (12) 



where 



,T(M := (l-iV + i| e ><e| 



l-y)lzj + y|»;i)<i;i|=:^(*;j) ■ (13) 



Here Ijj is a unit matrix in He- 

Similarly for N > 1, i.e., if Alice sends more than one 
particle, the acceptance rate takes the form 



Pr[A|p] = TrpP E 



(A) 



A. Concealing condition 



with 



In the proposed protocol, nlog 2 q-bit data are encoded 
in Alog 2 -D qubits. Thus, the number of bits accessi- 
ble by Bob, to, satisfies to < N log 2 D owing to the 
Holevo bound. Hence, the protocol is concealing when 
the bit number of A is greater than the qubit number, or 
NlogD < nlogq. 



B. Binding Condition 



P E = 7T (ei) <g> • • • ® 7T (ejv) • (14) 

b. What We Need to Prove. The sum of the accep- 
tance rates for A\, . . . , A r , which appears on the LHS of 
(0J, takes the form 

^Pr[A i |p]=Tr(pQ) (15) 

i 

with 



In the remainder of this section, we will prove the fol- 
lowing theorem. 

Theorem 2 The proposed protocol is binding in terms of 
Definition 1. 



1. Basic Idea of the Proof 

The basic idea of the proof is the same as given in 
Ref.Q- Namely, we exploit the approximate orthogonal- 
ity Hll|) of \^a) (see Eqn.JSJ and the discussion nearby). 
However, there is a complication, owing to the difference 
in the form of the probability Pr[Aj|p]. In our protocol, 
Pr[A;|p] takes a different form, as the receiver performs 
measurements on a randomly chosen orthogonal basis, 
whereas in Kent's protocol, the receiver can make use of 
the string A unveiled by Alice. 

a. Form ofPi[A\p]. The probability Pr [A \p] is given 
as follows. First, for the sake of simplicity suppose that 
N = 1, that is, suppose that Alice sends only one parti- 
cle. Then Bob chooses the correct basis for measurement 
(satisfying e±(A) S M(si)) with probability l/l, in which 
case he can confidently reject Alice's commitment if the 
outcome is different from |ei(A)). On the other hand, 



Q ■■= P E ( Al ) + ■ ■ ■ + P E (A r ) ■ (16) 

With this operator Q, what we need to do is to bound 
TrpQ from above for an arbitrary density matrix p. How- 
ever, it is obviously sufficient to consider instead the 
upper bound on (^IQ^) for an arbitrary pure state 
\ty). Moreover, in order to avoid complications from 
state normalizations, we do not require |>I') to be normal- 
ized and instead discuss the upper bound of the quantity 
(*|Q|*>/<*|*>. 

2. Vector Subspace V(E(Ai)) 

In order to prove Theorem 2, it is convenient to di- 
vide the D^-dimensional space Hjjn , which consists of 
the degrees of freedom of the iV particle used for com- 
mitment. We here focus especially on the eigenvectors of 
Pe(Ai) with relatively large eigenvalues, as these vectors 
contribute most to (^\P E ( Ai) |*) included in (*|Q|*). 

a. Eigenstates of operator Pe ■ The eigenstate of Pe 
with eigenvalue 1, which is the largest, takes the form 

:= |ei) ® • • • ® \e N ) 

= \iy,h) ® ••• <8> Kjv; j'at) • (17) 
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This becomes the state that Alice sends as her commit- 
ment of the g-ary string A, if we let E = (e 1; . . . , e^r) 
equal the codeword E(A) of A. 

It is evident that all eigenvectors of Pe, including \^e) 
take the form 

I^AJ) := |»i;ji + Aji)®---®|i w ;jtf + Aj.y) , (18) 

since Pe is a tensor product of the smaller operator 
7r(ej)'s defined in Ean. (|13|l . which act on particles. Here 
A J = (Aj'i, . . . , Aj'jv) is an arbitrary Z?-ary string, and 
the sum j + Aj appearing on the RHS of (|18|l is assumed 
to be in modulo D. Recall that, as defined in ©, for 
each i, the vectors |i; 0), . . . , \i; D — 1} form an orthonor- 
mal basis in the internal D-dimensional vector space Ti d 
of a particle. Hence, the states \^e] A J) obviously form 
a complete orthonormal basis of the vector space 
formed by N particles. 

Roughly speaking, AJ indicates the difference of 
|* B ;AJ) from |\? E ). The eigenvalue of |* B ;AJ) 
decreases exponentially with the Hamming weight 
HW(AJ), or the number of nonzero elements of the AJ: 

P E \* E ; AJ) = (1 - 1/0 W(AJ) |* B ; AJ) . (19) 

For example, \^ E ) = AJ) for AJ = 0. 

b. Vector subspace V{E(Ai)). Then we define 
V{E{Ai)) as a vector subspace of Hen, generated by 
eigenvectors I^^A;)! AJ) with /JW-^AJ) < a. The con- 
stant a here is an integer that determines the size of 
the subspace and is supposed to satisfy < a < d (see 
Fig0). That is to say, any vector |I\) G V(E(Ai)) can 
be expanded as 

|r,)= E w iAJ \* EiAi y,AJ) (20) 

{A J | HW(AJ)<a} 

The appropriate value of a will be discussed later. 

c. V(E(Ai)) 's are approximately orthogonal. In fact 
the subspaces V(E(Ai)) , s with different values of i are 
approximately orthogonal to each other. Indeed, if 
we pick two elements of vector basis l^E^y, AJ) an d 
\^ E(Aj)', AJ') from different subspaces, i.e., for i ^ j, we 
have 

|(tf E(Ai) ;AJ|tf E(A . ); AJ')| <p d - a , (21) 

where (3 is the upper bound on the inner products of par- 
ticle state |0), . . . , \q — 1) defined in ©. In other words, 
(3 := max e ^ e > |(e|e')| < 1. 

Inequality (|21|l follows because when the two states ap- 
pearing on the LHS are represented using particle states 
as \^E(Ai)] AJ) = \ei) <g) ■ ■ • <g> |e„) and \V E(Aj y,AJ') = 
|ei)<8>- • -®\e' n ), \ei) and |e^) are different for at least d— a 
values of i, owing to the minimum distance property of 
classical error correcting code. This is the main reason 
for introducing classical error-correcting code (see FigEJ . 



3. Decomposition of \ty) 

a. Subspace V and V 1 - . Next we define another sub- 
space 

V = V(E(Ax)) H h V(E(A r )) . 

That is, any element of V is given by the sum of the 
elements of V(E(Ai)), . . . , V(E(A r )). As can be seen 
from the construction of V(E(Ai)), V is the subspace of 
the quantum message space TL^n which contributes by 
far the most to 

Then we decompose \^) into V and V , where V 1 - 
denotes the orthogonal complement of V. 

|*> := |* v ) + |* x ) = + 1*0 . ( 22 ) 

i 

EKI 2 - 1 (23) 

i 

with |*) G V, G V 1 - and v t G C. The state 

\Ti) is assumed to belong to V(E(Ai)) and can thus 
be expanded as in Ean. (|20|l . We also assume that each 
\Ti) is normalized, i.e., the coefficients u>i.A./ defined in 
Eqn.(|20J) satisfy 

E KajI 2 = i . 

{AJ | HW(A,I)<a} 

On the other hand, we do not require to be normal- 
ized. Furthermore, \^v) is not a unit vector in general, 
although the coefficient v^s is normalized as in Ean. (|23ll . 
This is because |r^) 's with different values of i are not 
exactly orthogonal as discussed above. It should also be 
noted that there is arbitrariness in the choice of ow- 
ing to this non-orthonognality. 

It is still obvious that any vector |^) G H-d n can be 
expanded as in Ean. (|22|l with appropriate rescaling. 

b. V 1 - contributes only little. By definition, 
satisfies (^vH^-O = f° r an Y \^v) G V, and it is ap- 
parent that for any i, G \V{E(A i ))] L (see Fig©. 
This means that \^±) can be expanded by the eigenstates 
\^E(Ai) \ AJ) with Hamming weight HW(AJ) > a. 

Thus, it immediately follows that ||PB(^. i )|"5 r x)|| < (1— 
l/l) a and we see that |vpj_) contributes little to (\&|Q|$) 
if a is sufficiently large. See Lemma 3 for a more rigorous 
argument. 

4- Outline of the proof, and lemmas 

We have seen above that for large enough d and a 
the subspace V(E(Ai))s are approximately orthogonal to 
each other, and |*j_) G V 1 - contributes little to (vp|Q|vp). 
Then, the following inequalities should hold: 

(*|Q|*) = E^i^Voi*) 
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V 




FIG. 2: A graphical image of vector spaces V and V . 
V(E(Ai)) is the vector subspace generated by P E ^ A .^a eigen- 
states with eigenvalues larger than (1 — 1/0™- Thus, the pa- 
rameter a serves as the radius of each V(E(Ai)). Parameter 
d denotes the separation between each V(E(Ai)). V is the 
sum of all V(E(Ai))'s and V ± is its orthogonal complement. 

~ Y^lvil'iTAP^Ti) <^\vi\ 2 = 1 , (24) 

i i 

(*|*> = (^|*W + (*±|*±)^5Zkl 2 (r i |ri) = i ! 

i 

(25) 

which means / (*|*) ~ 1. 

In the subsequent subsection, we will use this idea to 
prove Theorem 2 rigorously, but first we prepare two lem- 
mas that are convenient. First we show that the contri- 
bution of is indeed small. 

Lemma 3 

For any i and s, (s > 0, s € 1), 

(*±\{P E{Ai )} s \*±) < (1-1/0 S "(*±I*±> , (26) 
11^^)1^)11 < (1 — 1/0" II |*L>|| • (27) 

Proof. (See also Paragraph IIVB3 bl and Figl^l) As 

e V 1 - C [V(E(Ai)] X , can be expanded 

with the eigenstates \*S?e',AJ) with Hamming weight 
HW(AJ) > a. Note that if HW{AJ) > a, from the 
definition of 7r(e) given in Ean. (|13() 

(Pe) s \^e; AJ> = (i - i/0* w(aj) |*b; aj) . 

From this, Inequality l|26(l immediately follows. Inequal- 
ity (|27() can be shown by setting s = 2 in (|26(l as the 
operator P B is Hcrmitian. □ 
Next we present the rigorous version of Inequality (|24|l . 

Lemma 4 

(*v\Q\Vv) < l + r{r-l)[3 d - a F a {N) , (28) 
-1| < (r-l)^- Q F Q (JV) , (29) 



where, 

Fa (N) 

Parameter (3 is defined among particle states \e), |e') and 
operater n(e"), which acts on them: 

(3 := max |(e|7r(e")|e')| < 1 ■ (30) 

-i(e= e'= e") 

TTie maximum value of Eqn. \30)) is evaluated under the 
condition that the triplet e, e', e" does noi satisfy e = e' = 
e". 

Proof. 
Note 

(*tHQ|*v) = El^l 2 ^!^)!^) (3i) 
+ £ Wiffc^iP^jir*) . 

{•i,j',fe|-.(i=j'=fe)} 

The first term on the RHS is clearly less than or equal 
to 1. The second term is the sum of the cross terms gen- 
erated by vectors from different subspaces V(E(Ai)) , s. 
These should be negligible for a large enough d, since in 
that case V(E(Ai))s are approximately orthogonal. 

We will evaluate this second term exactly below. From 
Eqn. (J201, we have 

(r,-|p B(Ai) |r fc ) (32) 

= Yl w ]AJ w kAJ e( Aj Y^J\Pe(A^ E(A k y,^J') ■ 

AJ,AJ' 

The term appearing on the RHS can be bounded from 
above as 

\{* B(Aj y,AJ\P B(At) \V B[Ah y,AJ')\<l3^ a , 

since the triplet i,j,k does not satisfy i = j = k. In ad- 
dition, because the Hamming weight of AJ is bounded 
from above as HW(AJ) < a, there are only F a (n) pat- 
terns of Wk,Aj (and equivalently for uij^j). Thus, max- 
imizing the RHS of Ean. l32|) using the Lagrange multi- 
plier for u>j,Aj and Wk.Aj', we find 

KT^Pe^T^I < F a (N)p d - a . 

Applying the Lagrange multiplier again on x>i , we obtain 
an upper bound for the second term on the RHS of 131( 1. 
and Inequality (|28(l can be proved. Inequality l|29l) can 
be proved as well in a similar manner if one notices that 
maxe/e' |<e|e')| □ 

5. Proof of Theorem 2 

From the above two lemmas 
(¥|Q|*) 

< (tfy|Q|tfy) + 2|<*y|Q|*L>l + 

< 1 + r(r - l)ei + 2r (1 + (r - l)e x ) e 2 S + re 2 S 2 
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and 

(tf |tf> = (*V|¥y) + > 1 - (r - l)ei + S 2 , 

where 

£l = f3 d - a F Q (N) , e 2 = (1 - 1/Z) Q , (33) 
5 = (#_l|#l) 1/2 • 
(c./., Inequalities JUJ) and (J2EJ0, Thus, 

(*IQI*) 



I*) 



< 



1 + r 2 ei + 2re 2 (l + re^S 1 + re 2 S 2 
1 - rei + S 12 
1 + r 2 ei - re 2 (l - re x ) + re 2 (l + re x )5 



= re 2 



=: re 2 



1 - rei + S 2 



Ci + c 2 g 

S 2 " 



C3 



Assuming ci,c 2 ,C3 > and differentiating by S, we see 
that 



^Pr[AH<re 2 + i ^ + C ^ + Cl =l + £ . (34) 

Here, as ci, C3 ~ 1 and c 2 can be chosen arbitrarily small, 
e on the RHS can be arbitrarily small. □ 



6. Choice of Parameters 

Next, we show that e given in l|34|l can actually be 
arbitrarily small by choosing sufficiently large N. Here, 
we do a very rough estimate without worrying about the 
tightness of the bound. First assume rei < 1/2 for ei 
defined in then 



yjc\ + C Z C% + 



Cl 



C3 



< (l + 2rei)(2ci + c 2 ) 



and immediately we have 



Pr[Aj|/9] < 1 + 4re 2 + 4r 2 ei 



(35) 



We will prove below that the second and the third term 
on the RHS of Inequality (|35|l can be < e/2 respec- 
tively. As to the second term, it suffices to let a — 
log 1 _ 1 /; (2~ 6 e/r). As to the third term, first note 

F a (N)<(D-l) a exp[N-H 2 (a/N)} (36) 

for N ~ a + 1 > N/D (see e.g., Ref.jl^, Appendix A). 
Using Inequality (|36|l . we see that the third term on the 
RHS of (|35|l can be bounded from above if 



N 



ffa(£) +dlog/3<log 



e(3° 



8r 2 (D- l) a 



(37) 



From a well-known theorem of the theory of error- 
correcting codes, ./V can be made arbitrarily large while 
keeping constant the information rate n'/N and the rel- 
ative minimum distance d/N . The RHS of l|37|l being 
a constant and log/3 being negative, Inequality l|37(l can 
always be satisfied by choosing a large enough N. 



V. NOTES FOR IMPLEMENTATION 

As mentioned earlier, our protocol can be implemented 
using currently available technology. For example, the 
case of D = 2 can be realized by single photon sources 
and detectors. Probably the most familiar way of en- 
coding is the BB84-like states that are often used for 
quantum key exchange 0, 



|0> = 
l 2 ) = 7f 



|1> = 
l 3 ) = 7f 



1 



which corresponds to q = 4, D = 2, I = 2, and (3 = 3/4. 
As one can see from the theory of error-correcting codes, 
for sufficiently large N, there exists a code E with the 
information rate n'/N that is virtually equal to 1. Thus, 
in this case, a secure protocol can be constructed with 
m/n ~ 1/2, where m is the bit number accessible by the 
receiver before unveiling. 

For example, take r = 2 10 and e = 2~ 10 , which cor- 
respond to a > 26. Then, it is guaranteed from the 
Gilbert- Vershamov bound (see Ref.[I3|) that there exists 
a linear code with q = 4, N = 10 5 , d/N = 10~ 2 , and 
n'/N > 0.95, for which Inequality gJJ holds. In this 
case, m/n < 0.53 is satisfied. 

It should be noted, however, that in real life there 
are problems with information losses in optical channels 
and with the detection rate of photon detectors. Conse- 
quently, Bob might end up rejecting Alice's commitment 
even when an honest Alice has sent the correct commit- 
ment \*S?a)- 

Still, we can overcome these problems by modifying 
steps 3 and 4 of the open phase fSec llll B|) as follows. 
First take an integer parameter t > 0, the exact value 
of which is determined by the noise level of the channel 
and the detection rate. Then change steps 3 and 4 of the 
open phase as follows: 

3. Bob verifies the following condition for each particle 
1 < i < N : 

- If the basis he chooses is correct, i.e., |e<) £ 
M(si), he obtains |e») as a result of his mea- 
surement. 

Then, he records as y the number of particles that 
do not satisfy the above condition. 

4. If the above condition does not hold for more than 
t particles, i.e., if y > t, then Bob rejects the com- 
mitment. Otherwise he accepts it. 
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In other words, Bob accepts Alice's commitment even 
when up to a certain number of particles does not meet 
the condition of step 3. In this case too, the security of 
the protocol can be shown in almost the same way as in 
the previous section |l3j. 

VI. CONCLUSION 

In this paper, we have proposed a new QBSC protocol 
and shown that it is secure in terms of the same secu- 
rity requirements as discussed in Ref.0]. Our protocol 
has the merit that it can be implemented using currently 
available technology such as single-photon sources and 
detectors. 

An example of future work is the optimization of the 
protocol presented here. As discussed in Section if 
the protocol is implemented using BB84-like states, the 



classical error-correcting code E needs to be of the order 
of N ~ 10 5 in length. Although possible in principle, it 
is not very practical to calculate a generator matrix of 
this size using currently available computers. Instead, it 
is much more worthwhile to optimize the protocol or the 
security proof so that we can ensure the same level of 
security for smaller N. 

For example, the estimate given in Section IIV B 61 is 
not yet tight, since there we were interested mainly in 
proving that the protocol is in fact possible. Thus, by 
using a better strategy, we might be able to obtain more 
security for shorter bit length n. Note, in particular, that 
even with the ratio m/n of the accessible bits being fixed, 
there is a variety of choices of parameters, such as q, D, 
and I. It will be interesting to see how we can better 
optimize the protocol, whether by making better choices 
for quantum states |0), . . . , \q — 1) or by optimizing the 
classical error-correcting code E. 
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